FW: Allowing FTP and internal but nothing else

> -----Original Message-----
> From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, March 03, 2004 10:21 AM
> To: Paul Harlow
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Allowing FTP and internal but nothing else
> 
> 
> Le mer 03/03/2004 à 17:55, Paul Harlow a écrit :
> > I have an FTP server that I would like to filter out all external 
> > traffic except ftp and ftp-data. This same server has an internal 
> > interface that I would like to allow everything on the 
> inside to have 
> > access to. Given what I've read I have come up with this 
> general idea 
> > of what to put into a filter table for now. Please let me know what 
> > your gurus of netfilter think.
> 
> I am not a guru, but I do think you should read docs... See
> http://www.netfilter.org/ documentation section (HOWTOs and tutorials).
>
> > iptables -I INPUT -i eth0 -j ACCEPT
> > iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
> > iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
> > iptables -I INPUT -i eth1 -j deny
>
> It won't work at all.
> Firstly, -I inserts the rule at the top of the chain. Thus the first rule for eth1 will be the "deny all" one (your last rule). So FTP won't work. Secondly, your FTP description is neither exact nor functional. TCP/20 is used as source by the FTP server for active data transfer, so you do not need to open it in INPUT. But for passive data transfer, you need to open the whole unprivileged port range (1024:65535) to accept data connections from clients. And thirdly, "deny" is not a valid target for iptables. You have to use DROP.
>
> Netfilter is stateful and can handle FTP using conntrack. So use it:
>
> 	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 	iptables -A INPUT -m state --state NEW -p tcp --dport 21 \
> 				-j ACCEPT
>
> This will be enough to handle the full FTP session.
>
> To me, the full ruleset to achieve what you want should be:
>
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
> iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 \
> 			--syn -j ACCEPT
>
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!

Thanks!
As I said I'm severely new to IPTables so it's all experimentation now and I would never have been able to come up with your last lines here. I have used www.netfilter.org to get where I am this far.
My question about your "full ruleset" of:

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 --syn -j ACCEPT

This doesn't appear to cover TCP port 20 for ftp-data conns. Or would that be covered by the RELATED tag?

Thanks again.
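To make the two points in Cedric's reply concrete, here is an added toy Python model of INPUT-chain traversal (not code from either poster, nor netfilter's own) that loads Paul's four -I rules and Cedric's stateful ruleset and runs the same constructed packets through both. The conntrack states on the packets, including the RELATED mark the FTP helper (ip_conntrack_ftp) would put on a data connection, are assumed rather than computed.

```python
# Toy model of netfilter INPUT-chain traversal, constructed for this thread (not
# netfilter code): the first matching rule wins, otherwise the chain policy applies.
class Rule:
    def __init__(self, target, **match):      # match keys: iface, proto, dport, syn, state
        self.target, self.match = target, match
    def matches(self, pkt):
        for key, want in self.match.items():  # 'state' is a set of allowed conntrack states
            have = pkt.get(key)
            if (have not in want) if key == "state" else (have != want):
                return False
        return True

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []
    def insert(self, rule):                   # iptables -I: new rule goes to the TOP
        self.rules.insert(0, rule)
    def append(self, rule):                   # iptables -A: new rule goes to the bottom
        self.rules.append(rule)
    def verdict(self, pkt):
        return next((r.target for r in self.rules if r.matches(pkt)), self.policy)

def original_chain():
    """Paul's four -I rules in the order he typed them ('deny' written as DROP so the chain loads)."""
    c = Chain()
    c.insert(Rule("ACCEPT", iface="eth0"))
    c.insert(Rule("ACCEPT", iface="eth1", dport=21))
    c.insert(Rule("ACCEPT", iface="eth1", dport=20))
    c.insert(Rule("DROP", iface="eth1"))      # inserted last, so evaluated first for every eth1 packet
    return c

def stateful_chain():
    """Cedric's ruleset: policy DROP, conntrack match first, eth0 open, eth1 only new FTP control SYNs."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))
    c.append(Rule("ACCEPT", iface="eth0", state={"NEW"}))
    c.append(Rule("ACCEPT", iface="eth1", proto="tcp", dport=21, syn=True, state={"NEW"}))
    return c

# Constructed packets; 'state' is what conntrack would assign (assumed here, not computed). With the
# FTP helper (ip_conntrack_ftp) loaded, a data connection announced by PORT/PASV is RELATED, so neither
# port 20 nor the high ports need their own INPUT rule.
FTP_CONTROL_SYN = {"iface": "eth1", "proto": "tcp", "dport": 21, "syn": True, "state": "NEW"}
PASV_DATA_SYN = {"iface": "eth1", "proto": "tcp", "dport": 50231, "syn": True, "state": "RELATED"}
ACTIVE_DATA_ACK = {"iface": "eth1", "proto": "tcp", "dport": 40123, "syn": False, "state": "ESTABLISHED"}
STRAY_HIGH_SYN = {"iface": "eth1", "proto": "tcp", "dport": 50231, "syn": True, "state": "NEW"}
INTERNAL_NEW = {"iface": "eth0", "proto": "tcp", "dport": 22, "syn": True, "state": "NEW"}
PACKETS = (FTP_CONTROL_SYN, PASV_DATA_SYN, ACTIVE_DATA_ACK, STRAY_HIGH_SYN, INTERNAL_NEW)

def verdicts(chain):
    return [chain.verdict(p) for p in PACKETS]   # original: DROP x4 then ACCEPT; stateful: only STRAY dropped
```

Running `verdicts(original_chain())` shows the -I ordering problem (every eth1 packet, FTP included, hits the DROP rule), while `verdicts(stateful_chain())` shows the control SYN, the passive data SYN and the active-mode reply all accepted, and a stray SYN to the same high port dropped by the policy.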


